Archive for April, 2007

VBS/Butsur Worm

Sunday, April 8th, 2007

It so happened that my portable hard disk got infected with this script worm for Windows. The worm itself is, in my not so humble opinion, relatively harmless: not really dangerous, just a real pain in the neck. Double-clicking a drive will not open it; instead, you have to right-click the drive and select Open. You will also see an Autoplay option in the drive's right-click menu.

The worm is just a simple VBScript file which, when run, copies itself to the Windows folder and to the root folder of every available drive. In addition, it creates an autorun.inf file in each root that causes the script to be executed whenever the drive icon is double-clicked.

Removing the worm isn't really that hard, but you need to be patient: if you accidentally double-click even one drive, the script runs again and you'll have to redo the entire procedure from the start. The steps to remove the worm are as follows. It may also help to reboot into Safe Mode and log in as an administrator.

  1. Open the Task Manager by pressing Ctrl+Alt+Delete or Ctrl+Shift+Esc.
  2. Go to the Processes tab and end all wscript.exe processes.
  3. Open Windows Explorer and go to Tools > Folder Options.
  4. In Folder Options, uncheck the following options:
    1. Hide extensions for known file types
    2. Hide protected operating system files

    Also ensure that the Show hidden files and folders option is selected, then press Apply.

  5. Open the registry editor by typing regedit in the Run window.
  6. Go to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  7. There should be a value called MS32DLL or something to that effect, with data C:\Windows\MS32DLL.dll.vbs. The file name can change depending on your Windows path and on the variant of the worm you have; however, every version of the worm I have seen installs itself in this registry key, which is what lets you find it. Note the name and check that a file with the same name exists in the root of C:.
  8. Delete this file as well as autorun.inf from your C: drive and from all other drives. Be careful not to double-click a drive to open it, or you'll have to start deleting the files from the beginning.
  9. Delete the file from your Windows folder.
  10. Delete the offending key from the registry.
  11. Some variants, maybe even all, modify the title bar of Internet Explorer to show the title of the web page followed by the text “Hacked by Godzilla” or “Hacked by Moozilla” or something else, again depending on the variant. This isn't really a problem, but if you want the original text back, go to the registry entry at HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main. The key to be modified here is WindowTitle (I think). IE7 doesn't seem to have an entry here, so I'm not too sure about the actual key text. Anyway, just change it to whatever you want; the default is “Microsoft Internet Explorer”.
  12. Restart the computer and check all drives to make sure that the Autoplay entry is no longer there on the right-click menu.
  13. Congratulations. You have deleted your first worm.
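The same procedure as a script, added here as an example and not part of the original post: it audits the persistence points described above (the HKLM Run key, autorun.inf in every drive root, the Windows-folder copy and the IE title-bar value) and only deletes anything when run with -Remove. It assumes the worm's launcher is a script file identified by extension rather than by one fixed name, since the post notes that the file name varies by variant. The post names the title-bar value WindowTitle; the documented name for that IE setting is “Window Title”, so both are checked. Run it from an elevated PowerShell; add -WhatIf to preview the deletions.

```powershell
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)

# Persistence points from the post (MS32DLL -> C:\Windows\MS32DLL.dll.vbs is the variant it saw)
$runKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$ieMain    = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
# A script-file reference: either a full drive path or a bare file name (autorun.inf uses the latter)
$scriptRe  = '(?i)([a-z]:\\[^"]*?\.(?:vbs|vbe|js|wsf)|[^"\s\\]+\.(?:vbs|vbe|js|wsf))\b'

$files = @(); $runValues = @(); $ieValues = @(); $report = @()

# 1. Run key: any value whose data launches a script file
foreach ($p in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
    if ($metaProps -contains $p.Name) { continue }      # skip the registry provider's own properties
    if ([string]$p.Value -match $scriptRe) {
        $runValues += $p.Name
        $files     += $Matches[1]
        $report    += "Run value '$($p.Name)' launches $($Matches[1])"
    }
}

# 2. Every drive root: autorun.inf is INI-style; a launcher sits in open=, shellexecute= or shell\...\command=
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $drive.Root 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) { continue }
    foreach ($line in Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue) {
        if ($line -match '^\s*(open|shellexecute|shell\\.*command)\s*=\s*(.+)$' -and $Matches[2] -match $scriptRe) {
            $target = $Matches[1]                       # bare names are relative to the drive root
            if (-not [System.IO.Path]::IsPathRooted($target)) { $target = Join-Path $drive.Root $target }
            $files  += $inf, $target
            $report += "$inf launches $target"
        }
    }
}

# 3. The copy in the Windows folder carries the same file name as the one in a drive root or the Run key
foreach ($name in ($files | Where-Object { $_ -notlike '*autorun.inf' } | Split-Path -Leaf | Sort-Object -Unique)) {
    $sys = Join-Path $env:SystemRoot $name
    if (Test-Path -LiteralPath $sys) { $files += $sys; $report += "Windows-folder copy: $sys" }
}

# 4. IE title-bar tag: the post says WindowTitle, the documented value name is 'Window Title'
foreach ($n in 'Window Title', 'WindowTitle') {
    $v = (Get-ItemProperty -Path $ieMain -Name $n -ErrorAction SilentlyContinue).$n
    if ($v) { $ieValues += $n; $report += "IE title-bar value '$n' is '$v'" }
}

if (-not $report) { Write-Output 'No worm artefacts found.'; return }
$report | Write-Output
if (-not $Remove) { Write-Output 'Re-run with -Remove (add -WhatIf to preview) to clean up.'; return }

# 5. Clean up in the post's order: end the script interpreter first so nothing is re-created while deleting
Get-Process -Name wscript -ErrorAction SilentlyContinue | Stop-Process -Force
foreach ($f in ($files | Sort-Object -Unique | Where-Object { Test-Path -LiteralPath $_ })) {
    # -Force removes files that carry the hidden/system attributes the Folder Options steps expose
    if ($PSCmdlet.ShouldProcess($f, 'Delete')) { Remove-Item -LiteralPath $f -Force }
}
foreach ($n in $runValues) {
    if ($PSCmdlet.ShouldProcess("$runKey\$n", 'Remove Run value')) { Remove-ItemProperty -Path $runKey -Name $n }
}
foreach ($n in $ieValues) {
    # Deleting the value restores the default title; Set-ItemProperty would set any other text instead
    if ($PSCmdlet.ShouldProcess("$ieMain\$n", 'Remove title-bar value')) { Remove-ItemProperty -Path $ieMain -Name $n }
}
```

Because the script never opens a drive through Explorer, it avoids the re-infection trap the post warns about; the one manual step that remains is the restart and the check that the Autoplay entry has gone from each drive's right-click menu.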

Update: This worm and a host of other malware are now being written specifically to infect systems through removable media, typically USB flash disks. Inserting such a disk usually causes Windows to execute its autorun script, if any. The autorun function can be bypassed by holding down the Shift key while inserting the disk; keep it held for a few seconds, until Windows recognizes the drive and adds it to the list of drives in My Computer. This simple step should curtail the spread of such malware.
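The Shift-key trick has to be repeated on every insertion. As an added example (not from the original post), the script below reports and, with -Apply, sets the NoDriveTypeAutoRun policy that disables AutoRun permanently. The value is a bitmask in which each set bit switches AutoRun off for one drive type; 0xFF covers every type. The drive-type bit assignments are the documented ones; the two policy paths are the standard Explorer policy keys, HKLM for all users (needs an elevated shell) and HKCU for the current user.

```powershell
[CmdletBinding()]
param([switch]$Apply)

# Policy locations: HKLM applies to every user (elevated shell required), HKCU to the current user
$policyPaths = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# NoDriveTypeAutoRun bitmask: a set bit disables AutoRun for that drive type (documented assignments)
$driveBits = @(
    @{ Bit = 0x01; Type = 'DRIVE_UNKNOWN' },
    @{ Bit = 0x04; Type = 'DRIVE_REMOVABLE (floppy, USB flash)' },
    @{ Bit = 0x08; Type = 'DRIVE_FIXED' },
    @{ Bit = 0x10; Type = 'DRIVE_REMOTE (network)' },
    @{ Bit = 0x20; Type = 'DRIVE_CDROM' },
    @{ Bit = 0x40; Type = 'DRIVE_RAMDISK' },
    @{ Bit = 0x80; Type = 'unrecognised drive type' }
)

foreach ($path in $policyPaths) {
    $current = (Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($null -eq $current) {
        Write-Output "$path : NoDriveTypeAutoRun not set (Windows built-in default applies)"
    } else {
        # A clear bit means AutoRun is still honoured for that drive type
        $stillEnabled = @($driveBits | Where-Object { ($current -band $_.Bit) -eq 0 } | ForEach-Object { $_.Type })
        $list = if ($stillEnabled) { $stillEnabled -join ', ' } else { 'nothing' }
        Write-Output ('{0} : 0x{1:X2}, AutoRun still enabled for {2}' -f $path, $current, $list)
    }
    if ($Apply) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }   # the Policies\Explorer key may not exist yet
        Set-ItemProperty -Path $path -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
        Write-Output "$path : set to 0xFF (AutoRun disabled for all drive types)"
    }
}
```

Run it without parameters first to see which drive types are still allowed to auto-run, then with -Apply from an elevated shell. This is prevention only; it does not remove an existing infection, and on Windows XP the policy was only honoured in full after Microsoft's later AutoRun update (KB967715), so an unpatched machine should still be opened with the right-click menu rather than by double-clicking drives.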